Approved Date – 02/22/2021
Published Date – 02/22/2021
Revised Date – 05/25/2021
To ensure the establishment of security measures that address the risk that may arise from the acquisition of systems and services by the District of Columbia Government (“District”).
DC Official Code § 1-1401 et seq., provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District. This document can be found at: https://code.dccouncil.us/dc/council/code/sections/1-1402.html.
This policy applies to all District workforce members responsible for application identity and role definition on behalf of the District, and/or any District agency/District/entity that receives enterprise services from OCTO. In addition, this policy applies to any providers and third-party entities with access to District information, networks, and applications.
4.1. Allocation of Resources
District agency must:
- Determine information security requirements for the information system or information system service in mission/business process planning.
- Determine, document, and allocate the resources required to protect the information system or information system service as part of its capital planning and investment control process.
- Establish a discrete line item for information security in organizational programming and budgeting documentation.
4.2. System Development Life Cycle
District agency must:
- Manage the system using the District System Development Lifecycle and the District Software Development Lifecycle that incorporates information security considerations.
- Define and document information security roles and responsibilities throughout the system development life cycle.
- Identify individuals having information security roles and responsibilities.
- Integrate the organizational information security risk management process into system development life cycle activities.
4.3. Acquisition Process
The District agency must include the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service per applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:
- Security functional requirements.
- Security strength requirements.
- Security assurance requirements.
- Security-related documentation requirements.
- Requirements for protecting security-related documentation.
- Description of the information system development environment and the environment in which the system is intended to operate.
- Acceptance criteria.
4.4. Information System Documentation
District agency must:
- Obtain administrator documentation for the information system, system component, or information system service that describes:
  - Secure configuration, installation, and operation of the system, component, or service.
  - Effective use and maintenance of security functions/mechanisms.
  - Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions.
- Obtain user documentation for the information system, system component, or information system service that describes:
  - User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms.
  - Methods for user interaction, which enable individuals to use the system, component, or service more securely.
  - User responsibilities in maintaining the security of the system, component, or service.
- Document attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent, and take appropriate action in terms of penalties as documented in the contract in response.
- Protect documentation as required, per the risk management strategy.
- Distribute documentation to relevant stakeholders that need to know.
4.5. Security Engineering Principles
The District agency must apply information system security engineering principles in the specification, design, development, implementation, and modification of the information system.
4.6. External Information System Services
District agency must:
- Require that providers of external information system services comply with organizational information security requirements and employ appropriate security controls per applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
- Define and document government oversight and user roles and responsibilities regarding external information system services.
- Employ checks to monitor security control compliance by external service providers on an ongoing basis.
4.7. Developer Configuration Management
The District agency must require the developer of the information system, system component, or information system service to:
- Perform configuration management throughout system, component, or service design during all phases of the SDLC.
- Document, manage, and control the integrity of changes to the defined configuration items that are under configuration management.
- Implement only approved changes to the system, component, or service.
- Document approved changes to the system, component, or service and the potential security impacts of such changes.
- Track security flaws and flaw resolution within the system, component, or service and report findings.
4.8. Developer Testing and Evaluation
The District agency must require the developer of the information system, system component, or information system service to:
- Create and implement a security assessment plan.
- Perform unit, integration, system, and regression testing/evaluation.
- Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation.
- Implement a verifiable flaw remediation process.
- Correct flaws identified during security testing/evaluation.
4.9. Unsupported System Components
The District agency must replace system components when support for the components is no longer available from the developer, vendor, or manufacturer.
Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.
The definition of the terms used in this document can be found in the Policy Definitions website.